iContact Internal Investigation of Spam Emails: Updated

FEBRUARY 18, 2010 UPDATE
We wanted to post an update. We are continuing our investigation of the security incident from earlier this month, and are working with the Raleigh branch of the FBI and the District Attorney’s office. Thank you to everyone who has been helpful to our investigation.

We are also in the process of implementing our plan to strengthen data security. These steps include strengthening our password policy and access controls, enhancing the logging and monitoring of internal systems, and implementing additional authorization controls for systems containing customer data.

We take customer data security extremely seriously and are putting significant focus and assets into enhancing our internal and external security.

FEBRUARY 1, 2010 UPDATE

What Happened?
Early last week our technical support team and account management team began receiving communications from a small number of customers (approximately 30-40) who believed their subscribers were receiving more spam than usual, particularly pharmaceutical spam. These customers believed there was a correlation between the increase in spam and the listing of the subscriber names in their iContact lists, because some of their subscribers had used unique identifiers to subscribe to their mailing list.

What Are We Doing About This?
Upon receipt of these communications, we launched an investigation, which is ongoing. We have utilized the assistance of certain customers and partners who have submitted information. We reached out to our local bureau of the FBI here in North Carolina to get their assistance. We have taken immediate steps to increase security. Thank you very much to our customers, partners, and friends who have helped us.

What security measures do we already have in place?
We utilize HTTPS, SSL, encryption, firewalls, database controls, system access controls, VPNs, and physical security. We here at iContact take privacy very seriously and per our policies we do not share customer information with third parties for marketing. We host iContact at a SAS 70 Type II certified datacenter with audited and certified security practices.

What are we doing now to increase security?
We have several security measures currently in place, and we are reviewing additional measures to increase security, including the following:

Adding additional monitoring and access controls.

Reviewing all internal access.

Verifying the integrity of our existing systems from outside attacks.

Expanding VPN requirements.

Evaluating additional logging capabilities.

Auditing our web, intrusion, and security systems.

Evaluating moving our network operations to the third-party partner that we currently utilize for hosting and bandwidth.

What data was compromised?
Based on the information we have, the subscriber email address is the only data affected.

What data was not compromised?
Based on the results of our investigation to date, we have no information to indicate any other data has been affected, including:

Credit card data

Customer names

Affiliate names

Who is in charge of this?
Ralph Kasuba, our VP of Technology, David Rasch, our Chief Architect, and Bill Bates, our Director of Architecture, are taking the lead. Ralph and David both report to the CEO. All three have extensive experience in network operations, security, monitoring, logging, data integrity, and architectural design. We have our key senior executives actively involved.

What is our stance on spam?
As you know iContact is strongly opposed to spam and the sending of unsolicited email. We are a member of the Messaging Anti-Abuse Working Group and the Email Experience Council and work with our industry partners including Return Path and Pivotal Veracity to actively fight spam.

What can I do?
If you think you may have been affected or have any information that may be helpful in this investigation, please contact Justin Rauschenberg, Director of Deliverability at justinr@icontact.com.

ORIGINAL POST JANUARY 27, 2010

It has come to our attention that certain individuals in iContact’s customer database have reported that they have received emails from sources other than iContact.

We began actively investigating this on Monday January 25. At this time we do not have any evidence that a breach of security has occurred. If you have any information that may assist us with our investigation please let us know in the comments. We take data security very seriously and per our Privacy Policy we do not share data with third parties. We greatly appreciate the cooperation of our partners and customers.

Please note that due to the desire to keep any information submitted confidential we will not be publishing the comments on this post. Thank you for your help.

Trackbacks/Pingbacks

[...] used to register for MacHeist in the past. In early 2010, MacHeist’s then-email processor iContact reported that it was the victim of a security breach that exposed some subscriber email addresses to spammers; it is possible that some of these [...]